Bug Bounty Programs Paying Off for Vendors, Security Researchers | eWeek

Aug 4, 2015


More companies are finding bug bounty programs to be an effective method of improving security. And Bugcrowd’s recent bug bounty report bears that out.


Private Bug Bounty Programs Growing Fast

Bugcrowd operates both public and invitation-only private bug bounty programs. Over the last 30 months, Bugcrowd has found a 36.1 percent submission success rate with invitation-only programs, in contrast to an 18 percent valid bug submission rate for public programs.


India Is the Top Bug Submission Country

India is the top source for bug report submissions, followed by the United States and the United Kingdom.


XSS Is the Top Vulnerability Type

Bugcrowd’s community submitted multiple types of vulnerabilities, with cross-site scripting (XSS) topping the list at 17.9 percent. However, Bugcrowd identifies a whopping 67.7 percent of bug types as “other.”


Information Leakage Bugs Often Submitted

Looking into the 67.7 percent of vulnerability types that Bugcrowd has classified as “other,” information leakage is identified as one of the most submitted types of flaws.


Average Payment per Bug Is $200

While bug payments vary, the average reward reported by Bugcrowd in 2015 now stands at $200, which is a marginal increase from the $180 average in 2013.


Top Payment Was $10,000

While the average bug payout is $200, the top bug reward reported by Bugcrowd was a $10,000 award paid out in the second quarter of 2014. The big payout was made for a cross-site request forgery (CSRF) vulnerability.


Total Bug Bounty Payout to Date: $724,014.02

For the 30-month period that the report covered, Bugcrowd’s clients paid out a total of $724,014.02 to 566 different researchers.
